Chris PeBenito 0fbfa5
# macros for the cdrecord domain
Chris PeBenito 0fbfa5
# Author: Thomas Bleher <ThomasBleher@gmx.de>
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
define(`cdrecord_domain', `
Chris PeBenito 0fbfa5
type $1_cdrecord_t, domain, privlog;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
domain_auto_trans($1_t, cdrecord_exec_t, $1_cdrecord_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# The user role is authorized for this domain.
Chris PeBenito 0fbfa5
role $1_r types $1_cdrecord_t;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
uses_shlib($1_cdrecord_t)
Chris PeBenito 0fbfa5
read_locale($1_cdrecord_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# allow ps to show cdrecord and allow the user to kill it 
Chris PeBenito 0fbfa5
can_ps($1_t, $1_cdrecord_t)
Chris PeBenito 0fbfa5
allow $1_t $1_cdrecord_t:process signal;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# write to the user domain tty.
Chris PeBenito 0fbfa5
access_terminal($1_cdrecord_t, $1)
Chris PeBenito 0fbfa5
allow $1_cdrecord_t privfd:fd use;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow $1_cdrecord_t $1_t:unix_stream_socket { getattr read write ioctl };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow $1_cdrecord_t self:unix_dgram_socket create_socket_perms;
Chris PeBenito 0fbfa5
allow $1_cdrecord_t self:unix_stream_socket create_stream_socket_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
can_resmgrd_connect($1_cdrecord_t)
Chris PeBenito 0fbfa5
Chris PeBenito a08248
read_content($1_cdrecord_t, $1, cdrecord) 
Chris PeBenito a08248
Chris PeBenito 0fbfa5
allow $1_cdrecord_t etc_t:file { getattr read };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# allow searching for cdrom-drive
Chris PeBenito 2705f9
allow $1_cdrecord_t device_t:dir r_dir_perms;
Chris PeBenito 0fbfa5
allow $1_cdrecord_t device_t:lnk_file { getattr read };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# allow cdrecord to write the CD
Chris PeBenito 0fbfa5
allow $1_cdrecord_t removable_device_t:blk_file { getattr read write ioctl };
Chris PeBenito 0fbfa5
allow $1_cdrecord_t scsi_generic_device_t:chr_file { getattr read write ioctl };
Chris PeBenito 0fbfa5
Chris PeBenito 2705f9
allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
Chris PeBenito 0fbfa5
allow $1_cdrecord_t self:process { getsched setsched fork sigchld sigkill };
Chris PeBenito 65a252
can_access_pty($1_cdrecord_t, $1)
Chris PeBenito a08248
allow $1_cdrecord_t $1_home_t:dir search;
Chris PeBenito a08248
allow $1_cdrecord_t $1_home_dir_t:dir r_dir_perms;
Chris PeBenito a08248
allow $1_cdrecord_t $1_home_t:file r_file_perms;
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5